Microsoft Office direct-edit functionality in hardened SharePoint environment

Working and troubleshooting in a highly secure and hardened environment has never been easy. Recently my end users have reported an issue related to editing Microsoft Office documents in SharePoint 2013 environment. When they open a document from SharePoint document library, such as Microsoft Word document, there is a window pop-up asking the message “How would you like to open this file?” with two options: Read Only and Edit. Whether they select an option, Microsoft Word client application always set opening document read-only mode. If they click Enable Editing then make changes, Microsoft Word client application always asks them to save to their computer locally while they wish to directly save to SharePoint library.

The environment is a bit of special with two domain controllers. One is used to issue SharePoint service account while another is responsible for end user accounts. The environment has been implemented and hardened by the corporate security policies (e.g. Windows Server, IIS hardening guideline).

Request Filtering related article: IIS Request Filtering Whitelist and SharePoint 2013

After a few investigations, I have realized that if I allow OPTIONS, PROPFIND and HEAD methods through Request Filtering (HTTP Verb), I will be able to edit then save back to SharePoint document library directly. The existing corporate security policy only allows GET and POST methods. OPTIONS, PROPFIND and HEAD methods are involved to make WebDAV functional.

When you open Microsoft Office document from SharePoint (or any other file server), Internet Explorer (IE) ends GET request to download the file to the Temporary Internet Files on the client machine. IE invokes Office to open the document. Office then starts trying to determine if the file can be authored or not so it can open the file for editing or read-only. Office will issue OPTIONS call on the parent folder of the Office document to determine server capability. In case OPTIONS call can’t return expected headers or valid response, Office again tries to determine if it can author against this server or not by using more WebDAV calls: HEAD, OPTIONS and PROPFIND. If all calls fail, Office will open the document read-only. When you want to edit the document, Office doesn’t trust your document so it asks you to save somewhere in your computer first.

The following references can help if you are required to provide justification to your security team in order to allow special methods for WebDAV call.


  1. SharePoint Ben
    April 27, 2015 — 10:55 am

    Great explanation Thuan! I’ve been dealing with the in-house security team about this rule. Now I can have your explanation for them. Thank you very much. You’ve save my days.

Leave a Reply

© 2018 The Soldier of Fortune.